11 Replies Latest reply on Sep 28, 2008 4:17 PM by Gazz300

    AV Outbreak Preparedness Planning

      Does anyone know of any threads which might describe best practices for a virus outbreak preparedness plan for ...say...1000 workstations? We all remember the days when a virus/worm outbreak would cripple all workstations - and left users off-line until desktop support could come by and scan their machines, off-line, before letting them back on the network. I want to plan for the worst and I would say that would be a "worst case" scenario.

      I've built a scanning CD with the SDAT extraction scanning utility but it just takes far too long to boot into XP safe mode and start the scan. Not to mention that I'm still relying on the workstation's OS to get to Safe Mode - a virus could make this approach unusable.

      No floppies on any boxes.
      All boxes have CD and USB 2.0.

      Any ideas?

      Thank You
        • 1. RE: AV Outbreak Preparedness Planning
          SergeM
          I'd say this implies preparing some bootable CD (BartPE or similar) with modules for an antivirus...
          But you obviously can't burn the bootable CDs in advance as the antivirus (definition files) needs to be up-to-date. I don't know if McAfee VSE has this option somewhere.

          - S -
          • 2. RE: AV Outbreak Preparedness Planning
            Thanks for the reply. From the lack of interest on this topic I'm going to assume that not many people worry about this scenario. But any admin that's been around a while has gone through it, at least once.

            Currently I have a few W/R CDs set up with the SDAT extracted into a scanning utility. But you still have to boot into Command Prompt Only to run it. Booting into F8 Command Prompt Only still implies that your OS is still working. I update the CDs about every two weeks and any time something bigger comes out. I wonder if there is a way to use PXE network booting to do this?
            • 3. RE: AV Outbreak Preparedness Planning
              SergeM

              I'm not sure it's lack of interest... (I'm interested ;)
              But then I'm not sure how I'd face having to scan/fix 100+ (let alone 1000+) workstations. I get a feeling that I'd rather fix them with a Ghost than have to scan & repair 10^x workstations (we're in the 10^4 range here). Hell, that's why we take so much precaution, so it doesn't happen.

              But about your question, I'd definitely go for a modified BartPE build. So you have an independent bootable CD with its own OS independent from the workstation and it's able to read & fix any WinFS including NTFS...

              I keep a laptop ready with BartPE ready to burn... it's not usually on our Net and in case of need I can get it to any available Net (e.g. WiFi in the area) and download the DAT and burn the CD at will. Haven't really tried it and am not eager to live-try it :/

              S
              • 4. RE: AV Outbreak Preparedness Planning
                tonyb99
                I have the Avira AntiVir rescue CD (gets rewritten every day with new definitions) but then set up as a bootable USB drive using instructions from the Ask the Geek blog.
                This is fast and seems to work pretty well.

                Avira AntiVir Rescue System ISO is the one you want from
                http://www.avira.com/en/support/support_downloads.html

                Instructions on how to make this a bootable USB drive rather than just a rescue CD:
                http://askthegeek.kennyhart.com/2008/09/how-to-make-bootable-thumb-drive-virus.html
                • 5. RE: AV Outbreak Preparedness Planning
                  Gazz300
                  I'd say that this kind of plan is just a plan for planning. If this happened and you had to visit 1000 plus machines you'd be at it for a week or more.

                  A better stance is to firm up VSE85 with AP policies and BO active and have alerting in ePO for virus not removed.

                  A question to ask is what virus these days is really designed to kill a machine? Not that many in my opinion. A dead machine can't talk and a machine that can't talk is not worth anything to commercial Malware writers and BOT herders. They pay for and maintain this Malware for the purpose of sending SPAM and collecting valuable information to use or resell.

                  So weigh up the time and effort spent in constant readiness plus the time it would take to carry out the plan and I am not sure it's worth it. Better to spend your time looking at ePO reports, SANS NewsBites, Symantec's Security Response and My AVERT Portal for trends and detections, plus add something like SiteAdvisor Enterprise and good proxy blocking of Malware-infected sites to minimise any effects. (I know it's reputation-rated as well.)

                  Add a good patching policy onto this and the likelihood of this occurring will be low. Segment your network, add VLANs, ensure proper password policies, share security, external message scanning or a few passes with different scanners internally for Malware and SPAM\phishing emails and you will be nearly there.

                  I also have outbreak policies to enable in the event of an outbreak plus a good action plan to follow through to contain a threat as quickly as possible.

                  This is my take on it. I manage AV for over 11000 machines with a backup person and this has stood us in good stead for a long time.
                  • 6. RE: AV Outbreak Preparedness Planning

                    I also have outbreak policies to enable in the event of an outbreak plus a good action plan to follow through to contain a threat as quickly as possible.
                    Can you elaborate on these policies?

                    I imagine they include blocking SMTP if you otherwise have it open, blocking open shares and the like, but I am curious about what other policies you have set for combating an outbreak.

                    Thanks,
                    Jim
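As an added illustration of the two outbreak policies Jim names above (not code from the thread or from any of its posters): a PowerShell script that blocks outbound SMTP from a workstation and removes its default admin shares, with a Disable mode to roll both back. It assumes Vista/Server 2008 or later for `netsh advfirewall` outbound rules (XP's `netsh firewall` has no outbound filtering) and writes a log file under a path of my choosing.

```powershell
# Added example: outbreak-containment toggles for one Windows workstation.
# Assumes 'netsh advfirewall' (Vista/2008+); run from an elevated prompt.
param(
    [ValidateSet('Enable', 'Disable')]
    [string]$Mode = 'Enable'
)
$Rule   = 'OutbreakPolicy-BlockOutboundSMTP'
$Params = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Log    = "$env:SystemRoot\Temp\outbreak-policy.log"   # assumed log location

function Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $Log -Append
}

if ($Mode -eq 'Enable') {
    Log 'Enabling outbreak policy'
    # 1. Block outbound SMTP. An infected box that cannot reach TCP/25 cannot spam
    #    directly; mail clients still reach the corporate server over MAPI or 587.
    netsh advfirewall firewall add rule name="$Rule" dir=out action=block protocol=TCP remoteport=25 | Out-Null
    Log 'Outbound TCP/25 blocked'
    # 2. Drop the default admin shares and stop the Server service from recreating
    #    them at boot, removing the C$/ADMIN$ path that share-hopping worms use.
    reg add $Params /v AutoShareWks /t REG_DWORD /d 0 /f | Out-Null
    foreach ($Share in 'C$', 'ADMIN$') {
        net share $Share /delete 2>$null | Out-Null
        Log "Removed share $Share"
    }
}
else {
    Log 'Disabling outbreak policy'
    netsh advfirewall firewall delete rule name="$Rule" | Out-Null
    reg add $Params /v AutoShareWks /t REG_DWORD /d 1 /f | Out-Null
    # Admin shares come back when the Server service restarts (or at next reboot).
    Restart-Service LanmanServer -Force
    Log 'Outbound SMTP rule removed; admin shares restored'
}
```

Push it through ePO, a GPO startup script or psexec rather than by hand; the rollback mode matters as much as the lockdown, because a containment rule nobody removes becomes next month's helpdesk ticket.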
                    • 7. RE: AV Outbreak Preparedness Planning

                      You have a point. A virus to kill every box, or many boxes, would be a very unlikely occurrence. But... a denial of service attack (IMHO) is a very real possibility. Call me neurotic. Maybe the OS security patches delivered by the vendors are frequent enough to keep that from happening.
                      • 8. RE: AV Outbreak Preparedness Planning

                        Everyone... please keep in mind that I'm talking about a worst case scenario. Not probable, but it is possible.

                        We have a liaison in each department that can jump in on situations that call for more IT help - such as this. And... if they know their department isn't getting back on-line until they get their boxes scanned then that would be a strong motivator. Handing them a USB stick and letting them go for it will be a pretty fast operation. 4-6 hours and a majority would be good-to-go.

                        Keeping a laptop off-line is a good idea.
                        • 9. RE: AV Outbreak Preparedness Planning

                          Wow! Getting the box booted up via the USB stick and starting to scan with that setup is fast. The scan is still a wait, but all of them are. I like it and I'm going to put that in my "virus attack day" toolbox. If I build 10 or 20 sticks (500 MB sticks are dirt cheap) and have them ready to update and hand out, we should be good to go.

                          tonyb99.... and everyone else..... THANK YOU!